How the NSA might snoop personal web data without the provider’s knowledge

One of the biggest questions out of the NSA snooping controversy was how much 9 tech vendors – Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype( msft), YouTube and Apple — knew about a National Security Administration program for snooping on their users data.

Facebook’s data center in Prineville, Ore

They all denied — in carefully worded ways — that they provided access to customer information. The source of the original story — ostensibly leaked NSA slides obtained by the Washington Post and The Guardian — indicated that the National Security Agency tapped directly into these company servers to get at customer meta data.

In a radio interview Friday on WBUR, Post reporter Barton Gellman said it’s more likely that the slide was poorly worded and that the NSA placed its own “black boxes” on vendor property next to the servers in question. Those black boxes could mirror the server and be queried as a proxy while giving those vendors plausible deniability if asked whether their own servers had been accessed.

Obviously, if that is the case it’s hard for vendors to plead ignorance to what was going on. But there are ways the government could harvest people’s Google and Facebook and other data without those vendors knowing.

First, they could eavesdrop on the HTTP traffic flowing over the internet — which is not usually encrypted — or there could be a covert back door into these services themselves, something that Jon Oltsik, senior principal analyst at Enterprise Strategy Group, doubts.

And, there have been reports that government agencies are indeed collecting data provided from internet service providers and telcos. On Friday, The Wall Street Journal said that the NSA’s gathering data on Verizon customers, is just the tip of the iceberg. According to the Journal:

“… people familiar with the NSA’s operations said the initiative also encompasses phone-call data from AT&T Inc. and Sprint Nextel records from Internet-service providers and purchase information from credit-card providers.

This is really key stuff. When you post updates to your Facebook page or Google Drive, that data typically flows unencrypted over the web. That data-in-transit could in theory also be intercepted at the routers directing traffic or at Content Delivery Network (CDN) points that optimize traffic flow. We just don’t know, because security agencies don’t want us to but the upshot is, if the government is collecting that traffic, it truly does have a ton of information about everything you do, or at least everything you say.

As we learned last year, it may well be compiling a full dossier on you (and everyone) which it’s storing in the no-longer-quite-so-top-secret giant NSA data center in Bluffton, Utah,

Beyond that, we probably won’t know the truth of what Google, Microsoft, et al. knew and if or how much they participated in snooping for years to come.

Related research and analysis from GigaOM Pro:Subscriber content. Sign up for a free trial.

How the mega data center is changing the hardware and data center markets